	\documentclass[]{beamer}
% Class options include: notes, notesonly, handout, trans,
%                        hidesubsections, shadesubsections,
%                        inrow, blue, red, grey, brown

% Theme for beamer presentation.
\usepackage{beamerthemetree} 
\usepackage[utf8]{inputenc}
\usepackage{graphicx}
% Other themes include: beamerthemebars, beamerthemelined, 
%                       beamerthemetree, beamerthemetreebars  

\title{Identification and Authentication}    % Enter your title between curly braces
\author{Tobias Rusås Olsen and Lars Hopland Nestås}    % Enter your name between curly braces
\institute{tol060@student.uib.no - lma029@student.uib.no}      % Enter your institute name between curly braces
\date{\today}                    % Enter the date or \today between curly braces
\begin{document}

% Creates title page of slide show using above information
\begin{frame}
  \titlepage

\end{frame}
\note{Talk for 30 minutes} % Add notes to yourself that will be displayed when
                           % typeset with the notes or notesonly class options

\section[Outline]{}

% Creates table of contents slide incorporating
% all \section and \subsection commands
\begin{frame}
  \tableofcontents
\end{frame}


\section{I \& A introduction }

\begin{frame}
  \frametitle{According to the book:}   % Insert frame title between curly braces
	\begin{center}
\textit{Identification and authentication is to \textbf{recognize} an individual and \textbf{validate} the individual's identity.}
	\end{center}
\end{frame}

\begin{frame}
  \frametitle{Authentication}   % Insert frame title between curly braces
	\begin{itemize}
		\item<1-> Authentication is the process of establishing confidence in the truth of some identity claim.
			\begin{itemize}
				\item<2-> \textit{“My name is Lars Hopland Nestås”}
				\item<3-> \textit{“I am a student”}
				\item<4-> \textit{``I am 1 meter tall''}
			\end{itemize}
		\item<5-> Authentication can only provide a level of confidence in a claim
	\end{itemize}

\end{frame}

\begin{frame}
  \frametitle{I \& A service}   % Insert frame title between curly braces

  \begin{itemize}
  \item<1-> The I \& A service addresses the need to recognize an actor that is interacting with a business system.
  \item<2-> An actor that interacts with a system may be a human being, a process, or another entity.
  \item<3-> The result of an I \& A service often supports other services, such as access control and accounting services.
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Categories of I \& A}   % Insert frame title between curly braces
	\begin{center}
		\includegraphics[scale=.8]{individual_identification.png} \\
		\includegraphics[scale=0.8]{group_identification.png} 
	\end{center}
\end{frame}

\begin{frame}
  \frametitle{Generic interaction model of I \& A}   % Insert frame title between curly braces
	\begin{center}
		\includegraphics[scale=.8]{genericinteraction.png} 
	\end{center}
\end{frame}


\section{I \& A requirements}
\begin{frame}
\frametitle{}
\begin{center}
I\&A Requirements
\end{center}
\end{frame}

\begin{frame}
  \frametitle{I \& A requirements}   % Insert frame title between curly braces

  \begin{itemize}
  \item<1-> This pattern provides a common generic set of I\&A requirements.
  \item<2-> This pattern also helps you to apply the general requirements to your specific situation.
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Context}   % Insert frame title between curly braces

  \begin{itemize}
  \item<1-> An organization or project understands its planned uses of I\&A, for example from applying \textbf{Enterprise security services (6.7)}
  \item<2-> \ldots or from applying one or more of the pattern systems that use I\&A, such as the pattern for access control.
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Problem}   % Insert frame title between curly braces

  \begin{itemize}
  \item<1-> Requirements for I\&A often conflict with each other, and trade-offs are often necessary.
  \item<2-> Strength of protection with I\&A tends to conflict with ease of use.
  \end{itemize}
  \begin{center}
\includegraphics[scale=.3]<2->{dilbert-password2.png}
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Outcome of I\&A situations}   % Insert frame title between curly braces

  \begin{center}
\includegraphics[scale=.6]{7-1.jpg} 
\end{center}

\end{frame}


\begin{frame}
\frametitle{Solution}
The requirements process typically includes these four steps:
\begin{enumerate}
\item<2-> Establish the domain for which the I\&A service is needed
\begin{itemize}
  \item<3-> Ensure the domain is identified and scoped
  \item<3-> Typical examples are: \begin{itemize}
                                \item Information system
                                \item Physical facility
                                \item Network
\end{itemize} 
\item<3-> I\&A requirements can vary over time \begin{itemize}
                                           \item A building during work hours versus outside
                                           work hours
                                         \end{itemize}
\end{itemize}                                      
\item<4-> Specify a set of factors that affect specialization and importance of
requirements
\item<5-> Specify I\&A requirements for the target I\&A domain

\item<6-> Define relative importance for the specific requirements
\end{enumerate}


\end{frame}

\begin{frame}
  \frametitle{Generic requirements}   % Insert frame title between curly braces
	The generic requirements are as follows
	\begin{itemize}
	\item<2-> Accurately Detect Imposters
	\item<2-> Accurately Recognize Legitimate Actors
    \item<2-> Minimize Mismatch with User Characteristics
    \item<2-> Minimize Time and Effort to Use
	\item<2-> Minimize Risks to User Safety
	\item<2-> Minimize Costs of Per-user Setup
	\item<2-> Minimize Changes Needed to Existing System Infrastructure
	\item<2-> Minimize Costs of Maintenance, Management and Overhead
	\item<2-> Protect I \& A Service and Assets
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Generic requirements}   % Insert frame title between curly braces
	\begin{itemize}
	\item<1-> Each generic requirement may have one or several factors
	\item<2-> Each factor will have an impact on the priority of the requirement
  \end{itemize}
  
  \begin{center}
\includegraphics[scale=.5]<3->{factors.png} 
\end{center}
\end{frame}


\begin{frame}
\frametitle{Example}
\begin{itemize}
  \item<1-> The new museum gemstone wing needs I\&A services
  \item<2-> It uses the museum intranet.
  \item<3-> Based on the ENTERPRISE SECURITY SERVICES, the museum recognizes the
  need for security  
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Example continued}
They come up with some situations that require I\&A
  services:\begin{itemize}
             \item<1-> Physical access to museum during business hours
             \item<2-> Remote on-line access to the museum intranet
             \item<3-> Access to highly sensitive museum information assets
             \item<4-> \ldots and many more 
           \end{itemize}
\end{frame}

\begin{frame}
\frametitle{Example continued (2)}
\begin{itemize}
  \item A single I\&A mechanism is not sufficient
  \item They need a clear and balanced set of requirements for each situation
  that requires I\&A.
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Example resolved}
\begin{itemize}
  \item Identify each situation as a separate domain, with a separate set of
  requirements.
  \item We will look at the domain ``Accessing the museum information system''
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Example resolved (2)}
\includegraphics[scale=.4]{7-3.jpg}
\end{frame}

 
\begin{frame}
\frametitle{Example resolved}
Most important:
\begin{itemize}
  \item<1-> Accurately detect imposters
  \item<2-> Minimize risk to user safety
  \item<3-> Minimize changes needed to existing infrastructure
  \item<4-> Protect I\&A assets
\end{itemize}
\end{frame}



\begin{frame}
\frametitle{Known Uses}
The pattern is written by the MITRE Corporation in collaboration with their
multiple customers, and the approach is normally used informally by these
customers.

More discussions of I\&A requirements:
\begin{itemize}
  \item OMB2003
  \item ISO15408
  \item SEI2004
  \item Firesmith2003
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Consequences}
Benefits:
\begin{itemize}
  \item<1->Explicit definition of I\&A domains and a clear connection of
  requirements for each domain
  \item<2->Conscious selection of I\&A requirements
  \item<3->Explicit analysis of trade-offs which encourages balance and
  prioritizing \begin{itemize}
                 \item Help avoid too weak or too strong I\&A
\end{itemize}
\item<4-> Documentation of I\&A requirements which can be looked at when needed.
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Liabilities}
Liabilities:
\begin{itemize}
  \item<1-> Investment of resources
  \item<2-> Danger of over-engineering: too many options can confuse stakeholders
  \item<3-> Long and costly formal selection, perhaps with too much overhead
  \item<4-> Specific circumstances might not be covered by the generic I\&A
  requirements
  \item<5-> Documentation must be updated and maintained
  \item<6-> Perception of I\&A may differ throughout the organization
\end{itemize}

\end{frame}

\section{Automated I \& A design alternatives }

\begin{frame}
\frametitle{}
\begin{center}
Automated I \& A design alternatives
\end{center}
\note{Insert funny picture or \ldots something}

\end{frame}

\begin{frame}
  \frametitle{Automated I \& A design alternatives}
  
  \note{What is it?}
  A pattern for describing techniques for automated I\&A. It helps you choose
  an appropriate I\&A strategy, consisting of one or more techniques.
  
  Examples of techniques:
  \begin{itemize}
    \item<1-> Password
    \item<2-> Biometrics
    \item<3-> Hardware Token
    \item<4-> PKI
    \item<5-> I\&A of unregistered users
  \end{itemize}
  
  \end{frame}

\begin{frame}
  
  \frametitle{Example}
  
  Indiana Jones is a museum employee who travels the world to collect new
  artifacts for the museum. He needs access to the museum intranet to
  \begin{itemize}
    \item<1-> Check Email
    \item<2-> Access Museum Database
  \end{itemize}
  
  His requirements are:
  \begin{itemize}
    \item<3-> Remote access
    \item<4-> Easy to use
  \end{itemize}
  
  \end{frame}

\begin{frame}
\frametitle{Example continued}
  
  The museum system engineer, on the other hand, has these requirements:
  \begin{itemize}
    \item<1-> High accuracy (Reject non-legitimate users)
    \item<2-> Limit I\&A overhead
  \end{itemize}
  
  These four are considered High Priority in the I\&A REQUIREMENTS pattern,
  and now the intranet architect needs to select I\&A techniques to satisfy
  these requirements.

\end{frame}

\begin{frame}
\frametitle{Context}

\begin{itemize}
  \item<1-> The person applying the pattern understands the requirements and their
  relative importance.
\item<2-> A decision has been made to use automated I\&A
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Problem}

\begin{itemize}
  \item<1-> Several I\&A techniques to choose from
  \item<2-> Different techniques have different strengths and weaknesses
  \item<3-> No one technique is best in all cases
\end{itemize}

A combination of techniques can sometimes satisfy the requirements better than a
single technique.

\end{frame}

\begin{frame}
\frametitle{Categories of automated I\&A techniques}

It's normal to look at four categories for determining combinations of
techniques:

\begin{itemize}
  \item<1-> Something you know
  \item<2-> Something you have
  \item<3-> Something you are
  \item<4-> Where you are
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Problem continued}

The I\&A strategy is often influenced by choices made by the enterprise.

The enterprise can be more efficient in terms of cost, training and maintenance
if they choose the same I\&A technique for the same I\&A requirements
throughout the system.

A single technique in an organization can be attractive, but dangerous because:

\begin{itemize}
  \item Single point of failure $\longrightarrow$ violates defence-in-depth
\end{itemize}

If an imposter gets access in one place, he can access all places.

\end{frame}

\begin{frame}
\frametitle{Solution}

\begin{itemize}
  \item<1-> Review characteristics in each I\&A technique
  \item<2-> Gather necessary information
  \item<3-> Define specific technique profiles for the chosen domain
  \item<4-> Find the techniques that match the criteria for the domain
  \item<5-> If one technique is not enough: consider which techniques to combine
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Implementation}
More detailed version of the solution.
\end{frame}

\begin{frame}
\frametitle{Gather inputs}
\begin{itemize}
  \item<1-> Definition of I\&A-domain
  \item<2-> I\&A requirements
  \begin{itemize}
    \item Enterprise constraints
    \item Importance of each requirement
  \end{itemize}
  \item<3-> General value of factors for each technique
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Define specific technique profile for domain}
From the gathered inputs, you define which requirements and priorities are
essential for the domain.
\end{frame}

\begin{frame}
\frametitle{Compare requirements with individual techniques}
If there exists one technique that satisfies the needs of the technique profile:
Choose that one. Else:
Look at combinations of techniques.

Combine techniques with complementary strengths and weaknesses.
\end{frame}



\begin{frame}
\frametitle{Techniques}
\begin{itemize}
  \item User ID/Password
  \item Biometrics
  \item PKI
  \item Hardware Token
  \item Unregistered users
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{User ID/Password}
Strengths:
\begin{itemize}
  \item<1-> Cost effectiveness
  \item<2-> Usage requirements
\end{itemize}

Weaknesses:
\begin{itemize}
  \item<3-> Good passwords can be hard to remember
  \item<4-> Bad passwords are easily stolen/hacked
  \item<5-> Hard to maintain good password practice
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Biometrics}
\begin{columns}[c]
  \column{2in}  % slides are 3in high by 5in wide
Strengths:
\begin{itemize}
  \item<1-> Potential for high reliability
\end{itemize}

Weaknesses:
\begin{itemize}
  \item<2-> Costly
  \item<3-> Environment, ageing and surgery can affect reading
  \item<4-> Not suitable for software actors
  \item<5-> Some are not safe
  \item<6-> If stolen, there might be a big impact
\end{itemize}

  \column{2in}
\includegraphics<3->[scale=.3]{biocom5.png}
  \end{columns}
\end{frame}

\begin{frame}
\frametitle{PKI}
Strengths:
\begin{itemize}
  \item<1-> Scores very high on reliability with a sophisticated user base
  \item<2-> Works well for the Swiss Medical community \note{Remove? :D}
\end{itemize}

Weaknesses:
\begin{itemize}
  \item<3-> High cost
  \item<4-> Must trust third-party issuing the certificates
  \item<5-> Trust employees to be able to validate certificates and to actually
  do so
  \item<6-> Must trust hardware and software not to compromise your keys, or use
  weak encryption
  \item<7-> High infrastructure impact
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Hardware Token}
There are different kinds of tokens, and their reliability varies.

Strengths
\begin{itemize}
  \item<1-> High reliability if combined with password
  \item<2-> Good at not denying legitimate users (false negatives) 
\end{itemize}

Weaknesses
\begin{itemize}
  \item<3-> Not suitable for software actors
  \item<4-> Some types of tokens require moderate to high cost per connection
  \item<5-> You must bring it with you
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Unregistered users}
Strengths:
\begin{itemize}
  \item<1-> Easy to use
  \item<2-> Cost effective
  \item<3-> Scales to a very large user base 
\end{itemize}

Weaknesses:
\begin{itemize}
  \item<4-> Not good at preventing false positives or false negatives
\end{itemize}

\end{frame}

\begin{frame}
 \includegraphics[scale=.25]{7-4.jpg}
\end{frame}


\begin{frame}
\frametitle{Considerations for combining techniques}
\begin{itemize}
  \item<1-> Some techniques complement others
  \item<2-> Often wise to combine techniques from different categories 
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Other considerations}
Choices made in similar I \& A domains in the enterprise can influence the
decision for this domain.

The organisation should choose between a homogeneous or heterogeneous approach.
Please add more information about this.
\end{frame}

\begin{frame}
\frametitle{Example Resolved}
The requirements were:
\begin{itemize}
  \item High accuracy
  \item Easy to use
  \item Remote access
  \item Limit overhead 
\end{itemize}
 
PKI and Biometrics with token would take care of high accuracy, but ``Easy
to use'' and ``Limit overhead'' eliminate those.

The best solution is hardware token combined with user id/password, because they
have the best match overall with the requirements.
\end{frame}

\begin{frame}
\frametitle{Known Uses}
The pattern is written by the MITRE Corporation in collaboration with their
multiple customers, and the approach is normally used informally by these
customers.

The specific I \& A techniques are widely known and used.

\end{frame}

\begin{frame}
\frametitle{Consequences}
Benefits
\begin{itemize}
  \item<1-> Awareness of elements in decisions for selecting I\&A techniques
  \item<2-> Conscious and informed decision about I\&A to support the I\&A
  requirements
  \item<3-> Better balance between competing I\&A forces. Choose the right man
  for the job.
  \item<4-> Provides some guide in combining I\&A techniques.
  \item<5-> Enterprise optimization by promoting integration of I\&A choices
  for multiple domains
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Consequences (2)}
 
 Liabilities
 \begin{itemize}
   \item<1-> Requires an investment in resources
   \item<2-> Focus on specific I\&A techniques \note{Solution: Bring in external
   techniques if needed}
   \item<3-> Perception of I\&A can differ throughout the organization.
 \end{itemize}
\end{frame}

\section{Password design and use}

\begin{frame}
  \frametitle{}   % Insert frame title between curly braces
  
\begin{center}
Password design and use
\end{center}
 
\end{frame}

\begin{frame}
  \frametitle{Context}   % Insert frame title between curly braces
  
  \begin{itemize}
  \item<1-> A password mechanism has been selected for user authentication
  \item<2-> \textit{Authentication is the process of establishing confidence in the truth of some identity claim.}

   \end{itemize}
 
\end{frame}

\begin{frame}
  \frametitle{Problem}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> People need to remember their passwords
  \item<2-> Passwords that are difficult to guess tend to be difficult to remember
  \item<3-> Passwords can be stolen or guessed
  \end{itemize}
  \begin{center}
\includegraphics[scale=.4]{dilbert-password.png} 
\end{center}


\end{frame}

\begin{frame}
  \frametitle{Problem}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> Using a single password in many contexts increases the potential scope of damage from password theft
  \item<2-> Using different password in each context increases the difficulty of remembering each one
  \item<3-> Passwords that are recorded can be discovered by someone else
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
  We will have a look at an Enterprise Relationship Management system, from one of the leading suppliers of accounting and administration software in Norway.
 
  \begin{itemize}
  \item<2-> Invoices
  \item<2-> Salary
  \item<2-> Accountancy
  \item<2-> Budget
  \item<2-> CRM
  \item<2-> \ldots
\end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.4]{system4.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.4]{system5.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.4]{system6.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.4]{system7.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Solution and Implementation}   % Insert frame title between curly braces
 We need to consider the following factors:
  \begin{itemize}
  \item<1-> Design and definition of passwords
  	\begin{itemize}
		\item<2-> Composition
		\item<2-> Length range
		\item<2-> Source
	\end{itemize}
  \item<1-> Use of passwords
  	\begin{itemize}
  		\item<3-> Lifetime
  		\item<3-> Ownership
  		\item<3-> Entry
  		\item<3-> Authentication period
  	\end{itemize}
  \item<1-> Protection of passwords
  	\begin{itemize}
  		\item<4-> Distribution
  		\item<4-> Storage
  		\item<4-> Transmission
    \end{itemize}
   \end{itemize}
\end{frame}




\begin{frame}
  \frametitle{Design and definition of Passwords - Composition}   % Insert frame title between curly braces
  Bad practice: 
  \begin{itemize}
  \item<2-> \textbf{Do not use:} your account name, word that appears in dictionary, acronyms, alphabetic sequences, numeric sequences, keyboard sequences, titles of books, movies, poems, essays, songs, CDs, names of mythological, legendary, religious or fictional characters, object, race, place or event, words with some or all the letters reversed, conjugation or plurals of words, words with the vowels deleted, only the first or the last character in uppercase, only vowels in uppercase, only consonants in uppercase, personally-related information such as initials, name of family members, birthday, family member's birthdays, hobbies, interests, job title, publicly shown example of a good password \ldots

  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Composition}   % Insert frame title between curly braces
  Good practice: 
  \begin{itemize}
  \item<2-> Passwords should be composed from a defined set of ASCII characters
  \item<3-> Include a digit or punctuation
  \item<4-> Choose a phrase or a combination of words
  \item<5-> Allow two words separated by a non-letter non-digit character
  \item<6-> Don't reuse passwords or make only minor variations such as incrementing a digit

  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Length range}   % Insert frame title between curly braces
 \begin{center}
 Length range is the set of acceptable lengths of passwords. An average person can easily remember a maximum of seven items.
\end{center}
  \begin{itemize}
  \item<2-> Minimum length equal to or greater than four
  \item<3-> The length range should allow a minimum of 10,000 possible passwords
  \item<4-> A pass phrase longer than the acceptable length should be transformed into a virtual password of acceptable length for storage.
   \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Source}   % Insert frame title between curly braces
\begin{center}
Source is the set of acceptable entities that can create or select a valid password from among all acceptable passwords
\end{center}
  \begin{itemize}
  \item<2-> Examples of sources: the user, the security officer, an automated password generator
  \item<3-> All passwords that may be included in a new system when it is delivered, transferred or installed should be immediately changed.
 \item<4-> Users who create or change their own personal password should be instructed to follow the good practice in the composition section.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.5]{dilbert_passwords.jpg} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Design and definition of Passwords}   % Insert frame title between curly braces
\begin{itemize}  
\item Composition
  \begin{itemize}
  \item<2-> The users of the ``time registration application'' only enter their username, and no password (!)
  \item<2-> The users of the ``salary application'' use a self-chosen password.
  \end{itemize}
  
 \item Length range
 \begin{itemize}
 	\item<3-> The user passwords for the ``salary application'' are truncated if they are longer than 16 characters
 \end{itemize}
 
 \item Source
 \begin{itemize}
 	\item<4-> The default password for the ``time registration application'' is the name of the software vendor
 	\item<4-> This password is not changed during installation
 \end{itemize}
 
\end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Use of passwords - Lifetime}   % Insert frame title between curly braces
\begin{center}
Lifetime is the maximum acceptable period of time for which a password is valid.
\end{center}
  \begin{itemize}
  \item<2-> Maximum lifetime of one year.
  \item<3-> Password should be replaced quickly if compromise of the password is suspected or confirmed
 \item<4-> Forgotten password should be replaced, not reissued
 \item<5-> The password system should be capable of maintaining a record of when a password was created and changed
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Use of passwords - Ownership}   % Insert frame title between curly braces
\begin{center}
Ownership is the set of individuals who are authorized to use a password.
\end{center}
  \begin{itemize}
  \item<2-> Passwords used to authenticate identity should be owned only by the individual with that identity.
  \item<3-> Each individual should be responsible for providing protection against loss or disclosure of passwords in their possession.
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Use of passwords - Entry}   % Insert frame title between curly braces
\begin{center}
Entry is the set of acceptable methods by which a password may be entered by a user for authentication or authorization purposes.
\end{center}
  \begin{itemize}
  \item<2-> The password should be entered in a manner that protects the password from observation.
  \item<3-> Users should be allowed more than one attempt to enter a password correctly.
  \item<4-> A maximum of three attempts is considered adequate for typical users of a computer system
  \item<5-> The response to exceeding the maximum number of retries can be account lock-down, account suspension for a specified time, or account release by security officer only.
  \end{itemize}
  
\end{frame}

\begin{frame}
  \frametitle{Use of passwords - Authentication period}   % Insert frame title between curly braces
Authentication period is the maximum acceptable period between any initial authentication process and subsequent re-authentication processes during a single terminal session.
  \begin{itemize}
  \item<2-> Individual passwords should be authenticated each time a claim of identity is made
  \item<3-> A system should have log-on time-outs established. If there is no user activity for a specified period of time (the time-out period) the user is automatically logged off.

  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Use of passwords}   % Insert frame title between curly braces
    \begin{itemize}
  \item Lifetime
  \begin{itemize}
  \item<2-> The passwords for the ``salary application'' never expire
  \end{itemize}
  
  \item Ownership
    \begin{itemize}
  \item<3-> The users of the ``time registration application'' don't have a password
  \item<3-> Several applications use the same ``sa'' account to connect to the database
  \end{itemize}
  
  \item Entry
   \begin{itemize}
  \item<4-> There is no maximum number of password entry attempts for the ``salary application''.
  \end{itemize}
  \item Authentication period
   \begin{itemize}
  \item<5-> There is no time-out functionality for the ERM system.
  \end{itemize}
 \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Distribution}   % Insert frame title between curly braces
\begin{center}
Distribution is the set of acceptable methods for providing (transporting) a new password to its owner(s), and to all places where it will be needed in the information system.
\end{center}
  \begin{itemize}
  \item<2-> For example in a separately-mailed envelope
  \item<3-> Temporary storage during the distribution must be erased.
  \item<4-> Keep a record of time and date of password issuing/generation, and to whom it was distributed, but not the password itself
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Storage}   % Insert frame title between curly braces
\begin{center}
Storage is the set of acceptable methods of storing a valid password during its lifetime
\end{center}
  \begin{itemize}
  \item<2-> Only the password mechanism should be able to access the passwords
  \item<3-> Some systems separate the password file from the authorized user file.
  \item<4-> Some systems encrypt the passwords before they are stored.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Transmission}   % Insert frame title between curly braces
\begin{center}
Transmission is the set of acceptable methods for communicating a password from its point of entry to its point of comparison with a stored, valid password
\end{center}
  \begin{itemize}
  \item<2-> The transmission should have the same level of protection as the system or the data that the password is protecting
  \item<3-> Unencrypted passwords should be transmitted as ASCII characters if interchanged between systems, while encrypted passwords and virtual passwords should be transmitted either as 64-bit binary fields, or as the ASCII representation of the hexadecimal character set 
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
 \begin{columns}[c]
  \column{2in}  % slides are 3in high by 5in wide
 The passwords for the Salary application are stored in a table in the database. 
  \column{2in}
\includegraphics[scale=.3]{salaryapp.png}

  \end{columns}
 \begin{center}
\includegraphics[scale=.5]{brukerliste.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
 Decrypting the encrypted password ``ssphlojolqnhlqsjmjngtsrkirrqrmlf''.
 \begin{center}
\includegraphics[scale=.3]{sortingpassword.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Decryption of the first "password character" - \textbf{r}

\begin{center}
\includegraphics[scale=.3]{constants.png} 
\end{center}

  \begin{itemize}
  \item<2-> We look up the characters \textit{r} and \textit{l} in the UTF-8 table.
  \item<3-> $r=114$ and $l=108$
  \item<4-> The decryption function is $(\text{key char} - \text{constant}_{1}) \cdot 16 + (\text{password char} - \text{constant}_{2})$
  \item<5-> $(108 - 104) \cdot 16 + (114 - 102) = 76$
  \item<6-> 76 equals \textbf{L} in the UTF-8 table
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Let's have a look at the application's password for connecting to the database
\begin{center}
\includegraphics[scale=.2]{sapassword.png} 
\end{center}
 \begin{itemize}
  \item<2-> The password is stored in the Windows registry by default, on every client machine (!)
  \item<3-> The default password is the name of the software vendor
  \item<4-> The password is stored in plaintext
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Hurray! The password can be encrypted!
\begin{center}
\includegraphics[scale=.5]{sqlkrypt.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
But \ldots\ if we ``encrypt'' \textit{links2007!} several times, this is the result:
\begin{center}
\begin{tabular}{|c|c|c|}
\hline Diff 1 & Diff 2 & Diff 3 \\ 
\hline 87yrby\_J\_To!88 & 63n8r3\_RZHE!65 & 58eGaFH33ZU!61 \\ 
\hline 48yrby\_J\_To!49 & 48n8r3\_RZHE!50 & 70eGaFH33ZU!73 \\ 
\hline 45yrby\_J\_To!46 & 88n8r3\_RZHE!90 & 47eGaFH33ZU!50 \\ 
\hline 
\end{tabular} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
  Decryption of \textbf{58eGaFH33ZU!61} $\Longrightarrow$ \textit{links2007!}

\begin{enumerate}
\item<1-> Calculate $61 - 58 = 3$
\item<2-> Use the third key string\\ \includegraphics[scale=.4]{keystring.png} 
\item<3-> Find the $i$-th encrypted character in the key string, and replace it with the $i$-th character to the left in the key string
\end{enumerate}

\end{frame}



\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=3.5]{code.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Transmission}   % Insert frame title between curly braces
All passwords are transmitted in plain text.
\end{frame}

\begin{frame}
  \frametitle{Example resolved}   % Insert frame title between curly braces
\begin{center}
Suggestions?
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Consequences}   % Insert frame title between curly braces
The benefits of applying this pattern:
 \begin{itemize}
  \item<2-> Applying this pattern results in increased protection of passwords and consequently higher accuracy of I \& A.
  \item<3-> The potential number of false positives resulting from such things as password guessing is expected to be reduced.
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Consequences}   % Insert frame title between curly braces
The liabilities of applying this pattern:
 \begin{itemize}
  \item<2-> Applying this pattern may lead you to conclude that passwords are the only I\&A technique that needs to be used.
	It is often better practice to adopt a strategy that combines passwords with another technique.
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Is username-password a good solution??}   % Insert frame title between curly braces
\begin{center}
The password must be impossible to remember\\ and never written down~[Smith2002].

\includegraphics[scale=.3]{dilbert-password3.png} 
\end{center}

\end{frame}

\section{Biometrics Design Alternatives}

\begin{frame}
\frametitle{}
\begin{center}
Biometrics Design Alternatives
\end{center}
\end{frame}

\begin{frame}
\frametitle{Biometrics Design Alternatives}
\begin{center}
\includegraphics[scale=.3]{dilbert-biometrics.png}
\end{center}
\end{frame}
\begin{frame}
  \frametitle{Biometrics Design Alternatives}
  Aids the selection of biometric mechanisms to satisfy the I\&A requirements.
  
  ``Something you are''
  
  Examples:
  \begin{itemize}
    \item<1-> Face recognition
    \item<2-> Finger image
    \item<3-> Hand geometry
    \item<4-> Iris recognition
    \item<5-> Retinal scanning
    \item<6-> Signature verification
    \item<7-> Speaker verification
  \end{itemize}
\end{frame}

\begin{frame}
\frametitle{Example}
The museum's new gemstone wing has a web server holding highly valued assets
and sensitive information.

Which biometric mechanisms are appropriate?
\end{frame}

\begin{frame}
\frametitle{Context}
Use the requirements from the I\&A. The decision to use biometrics was made in
the AUTOMATED I\&A DESIGN ALTERNATIVES pattern.
\end{frame}

\begin{frame}
\frametitle{Problem}
The different mechanisms have different strengths and weaknesses. One technique,
or a fixed combination of techniques, cannot solve the I\&A challenge for all
domains in the enterprise. A decision must be made.

The selection must resolve these forces:
\begin{itemize}
  \item<1-> Biometrics have vulnerabilities and limitations
  \item<2-> False acceptance \begin{itemize} 
                           \item Can be stolen
                           \item Actor B can enroll as actor A
\end{itemize}
\item<3-> False rejection \begin{itemize}
  \item Biometric measurements can vary
\end{itemize}
\item<4-> Biometrics have two conflicting error types
\begin{itemize}
  \item<5-> if(falseAcceptance.increase) falseRejection.decrease 
  \item<6-> if(falseRejection.increase) falseAcceptance.decrease
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Problem(2)}

Consequences of false acceptance/rejection:
\begin{itemize}
  \item<1-> Unauthorized access
  \item<2-> Lack of accountability
  \item<3-> Reduced productivity
  \item<4-> Lack of accountability (again)
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Problem (3)}
Biometrics have other forces to consider:
\begin{itemize}
  \item<1-> Some techniques are more costly than others
  \item<2-> Some require more equipment
  \item<3-> Some are less safe
  \item<4-> Costly for the enterprise to use several biometric I\&A techniques
\end{itemize} 
\end{frame}

\begin{frame}
\frametitle{Solution}
\begin{itemize}
  \item Review characteristics of available biometric mechanisms and select one
  \item Different mechanisms have different strengths and weaknesses
  \item This pattern helps you choose the right one
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Solution (2)}
\includegraphics[scale=.6]{7-5.jpg}

\end{frame}

\begin{frame}
\frametitle{Dynamics}
Applying the pattern
\begin{itemize}
  \item<1-> If it's a stand-alone mechanism, the process is complete
  \item<2-> If it's combined with another technique (typically a non-biometric
  one), the techniques must be integrated to form the solution
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Implementation}
The techniques are divided into two categories:
\begin{itemize}
  \item Physical
  \item Behavioural
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Implementation (2)}
Other existing biometric techniques:
 \begin{columns}[c]
  \column{2in}  % slides are 3in high by 5in wide
 \includegraphics[scale=.3]{biocom1.png}
  \column{2in}
\includegraphics[scale=.3]<3->{biocom2.png}
\end{columns}
\begin{itemize}
  \item<2-> DNA
  \item<3-> Keystroke dynamics 
  \item<4-> Finger geometry
  \item<5-> Palm geography
  \item<6-> Veincheck/Vein tree
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Implementation (3)}
\includegraphics[scale=.3]{7-6.jpg}
\end{frame}

\begin{frame}
\frametitle{Implementation (4)}
\includegraphics[scale=.3]{7-8.jpg}
\end{frame}

\begin{frame}
\frametitle{Implementation (5)}
\includegraphics[scale=.3]{7-11.jpg}
\end{frame}

\begin{frame}
\frametitle{Implementation (6)}
\includegraphics[scale=.3]{7-12.jpg}
\end{frame}

\begin{frame}
\frametitle{Implementation (7)}
Combining mechanisms:

Use the result from AUTOMATED I\&A DESIGN ALTERNATIVES-pattern
\end{frame}

\begin{frame}
\frametitle{Implementation (8)}
Selecting a biometric mechanism:

The decision should not occur in a vacuum. Use the considerations for each
technique. Enterprise choices also influence.
\end{frame}

\begin{frame}
\frametitle{Example resolved}
Requirements:
\begin{itemize}
  \item<1-> High accuracy
  \item<2-> Easy to use
  \item<3-> Resistant to attacks
\end{itemize}

Appropriate choices: Iris scanning and fingerprint.

\end{frame}

\begin{frame}
\frametitle{Example resolved (2)}
Choice: Fingerprint.
Reason: safe and easy to use. Interference factors are not expected to be
extreme.
\end{frame}

\begin{frame}
\frametitle{Known uses}
Increased use, but the decision is most often made in ``secrecy''.
\end{frame}

\begin{frame}
\frametitle{Consequences}
Benefits:
\begin{itemize}
  \item<1-> Awareness in decision making
  \item<2-> Conscious and informed decisions
  \item<3-> Encourages a better balance between competing biometric techniques;
  lets you choose the one that best fits your requirements.
  \item<4-> Some assistance in combining techniques.
  \item<5-> Broader organizational optimization by promoting integration of
  biometric techniques across the enterprise
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Consequences (2)}
Liabilities:
\begin{itemize}
  \item<1-> Investment of resources
  \item<2-> Perception of I\&A may differ throughout the organization
  \item<3-> The techniques are less reliable for large user bases.
  \item<4-> False sense of increased security because of expensive and ``cool''
  equipment.
  \item<5-> Expensive enrollment process, which must be done in a controlled
  environment
  \item<6-> If the stored data is reachable over a network, it is exposed to
  threats like denial of service (DoS) and intruders stealing samples for later use.
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Conclusion}
Conclusion.

\begin{itemize}
  \item<1-> Specify the requirements for each domain (I\&A requirements)
  \item<2-> Find the appropriate techniques for each domain (Automated I\&A Design
  Alternatives)
  \item<3-> Follow guidelines for each technique (Biometric and Password-patterns)
\end{itemize}

\end{frame}

\begin{frame}
\frametitle{Questions}
\begin{center}
Questions? 
\end{center}

 
\end{frame}

\end{document}
